Preventing ID theft can be costly for businesses

Friday

Nov 21, 2008 at 12:01 AM | Nov 21, 2008 at 6:02 PM

Kelsey Abbruzzese

Small-business owners and advocates told a legislative committee Wednesday they are worried about the financial burden the state's proposed identity theft protection regulations would place on them, reminding lawmakers that in business, one size does not fit all.

"In these tough economic times, when you look at small business, the fact is, it's going to be a burden," said Dan Foley of the Massachusetts Association of Insurance Agents. "I really believe the regulation itself should be put off for another year."

The Joint Consumer Protection and Professional Licensure Committee hearing was held to address concerns about regulations requiring encryption of documents, such as consumers' personal and financial information sent over the Internet, saved on laptops or flash drives, and wirelessly transmitted data.

The new regulations also mandate the use of up-to-date firewall protection and certification from third-party vendors.

The regulations were to be implemented on Jan. 1, but the Office of Consumer Affairs and Business Regulation changed the date last week to provide flexibility for businesses "that may be experiencing financial challenges brought on by national and international economic conditions."

The date for general compliance and for ensuring that third-party service providers can protect personal information is now May 1, 2009; the deadline for encrypting laptops is Jan. 1, 2010.

Still, many at the hearing said the regulations did not offer flexibility for businesses. Small businesses would have to hire outside technology consultants and install new systems.

Consumer Affairs Undersecretary Daniel Crane said he understood concerns about costs to small businesses, but these organizations still had to protect personal information.

"The problem is, you don't have to have a lot of employees to have data that's sensitive," he said.

State officials received reports of nearly 320 incidents since August 2007 that compromised or threatened to compromise personal information of 625,365 Massachusetts residents. The consumer affairs office stated that 60 percent of the cases involved criminal or unauthorized acts, with a high rate of stolen laptops or hard drives.

Arthur Fair, president of Fair and Yeager Insurance in Natick, said he believed these new regulations were prompted by security breaches at companies including Hannaford's supermarkets and Framingham-based TJX. Fair wrote a letter to the administration after hearing of the regulations from his local trade association, asking to extend the deadline.

"We didn't even know about them until a month ago," Fair said. "By Jan. 1, no one would have complied because they didn't know about it."

Fair, who employs 28 people, said he has independent computer specialists check his security. There will be an added cost to implement new systems, he said.

Identity protection became a central issue last year when at least 200,000 credit and debit card numbers were stolen from TJX's computer system.

Spokeswoman Annmarie Farretta said the company is now fully compliant with security standards "in advance of many other retailers."

While TJX is a larger business in MetroWest, Ted Welte, president of the MetroWest Chamber of Commerce, sees more difficult financial implications for area small businesses. The chamber has a data security workshop set for Nov. 25, he said.

"It's important for the protection of the public and business records, but obviously it is also very costly," Welte said. "It's good that the state has understood the implications of this for smaller businesses, and even mid-sized businesses, in these challenging times."

MetroWest Daily News
